blocking

The profile of Common Vulnerabilities & Exposures (CVEs) has risen in recent years. Organizations now pay far more attention to them than they used to. Of course, there are still plenty of cases on record of companies getting hacked due to failing to patch a CVE from a year or more ago. There are endless examples of companies taking weeks and sometimes months to act once a high-priority CVE after it is issued.

Nevertheless, in the vast majority of cases, CVEs are given almost gospel-like status in organizations. Some build their security response programs largely around issued CVEs. For example, if a CVE has a rating of 7 or above in severity, companies tend to put it to the head of the queue, leaving lower priority patches to be deployed at a later date – or in many cases not at all.

There are numerous flaws in this mode of operation. Cybercriminals have grown wise to this tactic. Yes, hackers search carefully for endpoints and systems that have failed to deploy high priority patches to address CVEs – and they rub their hands in glee when they find yet another inattentive victim. But they also now mount multi-faceted attacks that take advantage of lower-priority flaws that they know are often ignored. Thus, they will launch a campaign simultaneously probing for higher priority and lower-priority CVEs that are unpatched. If only the lower ones are available, they can be used to gain a foothold into the enterprise from which they can exact further damage.

New Research Asserts Open-Source Threats Overrated

JFrog just announced another shortcoming in CVE-oriented security defense programs. Their researchers analyzed the top 10 most prevalent open-source software vulnerabilities in 2022. Their findings? The severity ratings of most CVEs for open-source systems were overrated.

Severity ratings within the National Vulnerability Database (NVD) follow this scoring rubric: Critical severity levels are graded between 9 and 10. High severity is 7 to 8.9. A Medium rating is between 4 and 6.9, and a Low rating goes up to 3.9. However, when JFrog researchers assessed the real-world impact of these vulnerabilities and applied contextual analysis to their evaluations, they found that many of the scores attributed to open-source bugs were overinflated. Since it takes roughly 246 days to remediate a security issue completely, they recommended that security teams only deploy resources on the vulnerabilities that actually matter.

According to the report, most of the open-source vulnerabilities evaluated were much harder to exploit than reported, and therefore were undeserving of a high NVD severity rating. The consequence of following the NVD system, therefore, can sometimes cause organizations to “waste valuable time and resources to mitigate a vulnerability that is extremely unlikely to have any real-world impact on their systems,” said the report.

Prioritizing Vulnerability Remediation Requires Context

At Syxsense, we found a very similar issue across our customer base. Many organizations focus on remediating and patching the most severe vulnerabilities, but often do not have the time to tackle the medium or low severity vulnerabilities. They were simply inundated with the most severe or highest profile CVE for the day. However, that did not mean that those vulnerabilities weren’t relevant. In recent years, we have seen many medium or low severity vulnerabilities being exploited to gain an initial foothold into an enterprise.

This is why we developed a risk and prioritization rating based on an organization’s attack surface with vulnerabilities and endpoint posture. The Syxscore leverages NIST and vendor severity assessments in relation to the health status of the endpoints in your environment. It’s a personalized evaluation of what devices are vulnerable and the criticality of updates to the overall protection of your network, giving you the ability to target endpoints that pose the most serious levels of risk.

While vulnerability severity scores can be helpful, it is simply another data point. What organizations really need is customized context, including the security posture of their endpoints and existing security controls that can reduce the risk of a vulnerability.

Patching is the Key to CVE Remediation Success

Beyond context, patching is a critical component to managing vulnerabilities. Oftentimes, critical vulnerabilities will have patches released quickly – sometimes the same day that the vulnerability is made public. In these cases, keeping up is the most difficult part.

That’s why automation, inventorying, and patch deployment can eliminate long delays in patching programs. If you can constantly prioritize vulnerabilities with context based on your environment, patch the most important ones quickly, and validate that those patches have been applied appropriately, you will reduce your organizational risk and attack surface.

If you want to learn more about automating your patching program, schedule a demo today.

Windows users are notorious for holding onto aging operating systems and PCs many years after their sell-by date. A couple of years back, for example, an entire publishing and events office was discovered to still be running on Windows XP. No doubt there are XP machines sitting about in unsuspected places. Yet Microsoft ended support for that OS a decade ago. Since then, no security updates have been issued for it.

The same thing now applies to Windows 7 and 8. According to StatCounter, Windows 7 accounts for 11% of global Windows users as of September of 2022. Windows 8 has almost 4% market share and XP still manages half a percent. But even though the bulk of users have transitioned to Windows 10 (68% and are being heavily encouraged to make the switch to Windows 11 (currently only accounting for 17% of Windows users), that still leaves a large number running on obsolete, unsupported, and highly insecure OSes.

Windows, after all, rules the desktop and laptop space with three quarters of all installations. Microsoft estimates that 1.5 billion devices worldwide are running on Windows 10 or above. That means several hundred million users continue to run XP, Windows 7, and Windows 8 – and some of them could be lurking within your network or somewhere along your supply chain.

It becomes an urgent priority for organizations to find these users and upgrade them fast. Otherwise, they will no longer qualify for technical assistance and will get no more software updates. Crucial security updates for Windows 7 and 8 have officially ended. Any new exploits that can attack these systems will receive no patches from Microsoft.

Microsoft is asking Windows 7 users to skip 10 and move directly to Windows 11.

“PCs have changed substantially since Windows 7 was first released 10 years ago. Today’s computers are faster, more powerful, and sleeker – plus they come with Windows 11 already installed,” said an official announcement from Microsoft.

In most cases, a PC or laptop upgrade will be required – the new OS has much higher requirements for memory and processing power.

Anyone considering hedging their bets and moving to Windows 10 should know that its support will end in the fall of 2025. Why upgrade yet again in a couple of years and open yourself to yet another round of insecure devices to fix?

Those determined to stick with Windows 7 face an uphill task. Not only is Microsoft abandoning them, so, too, is the rest of the software ecosystem. Google, for example, is about to release a new version of Chrome, which will no longer me operable on Windows 7 or 8. That means no more updates for Chrome users on Windows 7 and 8 i.e., yet another gaping security hole impacting those users.

When Windows 7 supported began to disappear a in 2020, it attracted a great many cybercriminals. They began to look for the OS, knowing that they could penetrate it due to well-known and no longer patched security holes. The FBI issued a warning to private industry to get rid of it as quickly as possible. Many have yet to heed that advice.

Steps to Take Immediately

In light of these announcements, organizations are urged to take the following steps.

1. Conduct a detailed inventory of all operating systems running throughout the enterprise using Syxsense Enterprise.

2. Note all versions of XP, Windows 7 and 8 running, as well as older no longer supported Windows 10 instances (such as versions 1803, 1809, and 1909).

3. Work out a plan on how these machines are to be a) protected right now b) moved to Windows 11, and c) replaced with more modern PCs and laptops that qualify to run Windows 11.

4. Until the migration occurs, place all Windows 7 and 8 systems behind a dedicated firewall and protect them with intrusion prevention and anti-malware tools. Also, disable remote access to those systems unless sit is behind a VPN.

5. Survey your supply chain partners and even customers that have trusted access to your network. Verify that they have no users still on obsolete Windows OSes. Demand that only those on Windows 10 and 11 will be allowed access.

6. Use Syxsense Enterprise to conduct regular vulnerability scans throughout the network, and initiate remediation steps for vulnerabilities found.

7. Set up Syxsense Enterprise to automatically prioritize, deploy patches throughout the enterprise.

Syxsense centrally manages, and fully automates all inventorying, scanning, patching, and remediation. It reviews, verifies, tests, and issues all patches within three hours of issuance. Its software can automatically deploy those patches to all users and devices. It also contains a patch rollback function in one of the rare instances when a problem arises due to a new patch. This represents the most efficient way to deal with the onslaught of new patches. It also frees up IT and security personnel to take care of other urgent areas of security for the enterprise.

For more information, visit: www.Syxsense.com

A recent survey by Foundry Research highlighted the fact that little has changed in the cybersecurity world of late. Organizations remain deeply worried about their inability to spot threats, respond to them in a timely manner, and train staff to avoid being tricked by scammers.

Across public and private sector organizations, the biggest issues were found to be threat response/remediation (55% among public sector and 53% among private sector respondents), improving detection of emerging threats (49% and 47%, respectively), and improving user security awareness (46% and 50%). Further issues cited included securing the supply chain (37% in the private sector compared to 28% among public sector respondents) and enabling secure Work-From-Home (WFH) or remote work (31% compared to 22%).

These findings demonstrate that the basics of security remain areas of difficulty in many government and private organizations. A big part of the issue is that these organizations are overwhelmed by the volume of data they must deal with to maintain a tight security posture. They are inundated with alerts and must trawl through massive logs across multiple applications to try to spot what is going on. Accordingly, the survey revealed that public sector organizations, in particular, struggle to leverage data to detect and prevent threats (63% compared to 49% of private sector respondents) and mitigate cybersecurity events (66% versus 56%). More than half of all agencies and organizations believe that it is challenging to harness data to inform cybersecurity decisions, detect and prevent threats, and mitigate events.

What underlies these challenges? Skills gaps (40% among both public and private sector respondents), lack of resources (31% public sector, 35% private), data integration (28% and 33%), and lack of visibility into the threat landscape (32% and 29%) were cited in the report. These issues inhibit their ability to act on data and resolve security events.

Budget, too, is a major obstacle when it comes to addressing cybersecurity priorities, according to three quarters of organizations surveyed. 48% of public sector respondents reported budgeting as an obstacle to a great extent and another 31% to some extent. In the private sector, 35% say budget impacts them to a great extent (35%) or to some extent (40%). More than one-third said their cybersecurity budgets were too low to address priorities and mandates (44% of public sector, 35% of private sector).

Getting Help with Cybersecurity

These results indicate that organizations need all the help they can get when it comes to cybersecurity. They are having trouble managing the many in-house security tools they have at their disposal, don’t have enough trained personnel to understand their risk posture and respond effectively to threats, and lack adequate budgets to resolve their ongoing security problems. The solution to these woes is to import as much help as possible via SaaS applications for cybersecurity. These can either be delivered directly from the vendor or via an MSP.

Syxsense Enterprise is a SaaS platform that automates the entire process of managing, monitoring, patching, scanning and remediating endpoints anywhere. It provides the necessary level of automation to make it feasible for IT to manage a vast number of endpoints, and soon, an even larger number of IoT devices and sensors. It automates all aspects of endpoint management and security. It is the only way to stay on top of patches, vulnerabilities, and endpoint security.

Alternatively, Syxsense Enterprise can be white labelled and offered to MSPs as a new service for their clientele. The Syxsense Managed Service provider program is designed for MSPs and MSSPs looking to provide a higher level of management services to their customers. It consolidates multiple solutions together into a single offering that includes IT Management, Patch Management, Security Vulnerability Remediation, and a robust policy based Zero Trust product.

Syxsense combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices. Its unified security and endpoint management platform centralizes the three key elements of endpoint security management (vulnerabilities, patch, and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex™ through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm.

For more information, visit: www.Syxsense.com

A new study examined Security Service Edge (SSE) adoption, and the role it plays in establishing a zero-trust architecture. According to the report, SSE’s popularity is reflected in the fact that 71% of cybersecurity professionals are familiar with it, despite it only being around for about two years. In fact, SSE ranks above single sign on (SSO), multifactor authentication (MFA), endpoint security, and Security Information and Event Management (SIEM) in the minds of IT executives as a key technology in the achievement of zero trust. That’s why 65% of organizations plan to adopt SSE in the next 24 months, with 43% planning on implementing before the end of 2023.

Zero trust is all about securing endpoints, applications, IT infrastructure, and data based on the assumption that any network or endpoint is always at risk of either internal or internal attack. Accordingly, zero trust means individuals are not automatically trusted just because they are on the network. They must prove who they are and are given limited access to only the systems they need. The same applies to devices. Zero trust verifies machine identities and picks up changes such as the browser being used for access. In essence, all devices and identities are not trusted and are denied access to corporate assets until they can meet a defined set of criteria.

SSE has quickly become a top strategic initiative for organizations due to the role it plays in Secure Access Service Edge (SASE) adoption and successful zero trust implementations. The study found that 67% plan to start their SASE strategy with an SSE platform, compared to 33% with SD-WAN. Why? SSE is seen as more secure while also bringing gains in terms of cost reduction and productivity.

Access Complexity

An area of confusion emerged in the study – access complexity. Researchers found that 63% of enterprises have at least three access security solutions in play. Nearly a quarter leverage six or more access solutions. As well as raising costs, management complexity, and taking up IT time, this mess of access applications inevitably leads to security holes. Cybercriminals are eager to exploit any areas where access controls are weak or missing. Users of legacy access solutions, in particular, believed their top challenge was that their current platforms granted too much inherent trust to users. This goes against the grain of the zero-trust mindset.

The survey showed that SSE services are seen as providing a means of reducing costs. The top two legacy solutions that enterprise security teams will look to replace with SSE in the coming year will be VPN Concentrators (63%) for VPN, SSL inspection services (50%), Distributed Denial of Service (DDoS) (44%), and data loss prevention (DLP) services (42%).

Implementing Zero Trust in the Enterprise

Security vendors are coming to market with all manner of tools aimed at achieving zero trust goals. The latest version of Syxsense Enterprise forwards these goals via an integrated Zero Trust module. By using Syxsense for vulnerability detection management and remediation, organizations have no need to add additional products or tools to achieve zero trust protection. Further, Syxsense Enterprise consolidates different tools for patching, vulnerability scanning, remediation, mobile device management (MDM), and zero trust in one unified platform. It blocks users on untrusted devices, automatically triggers actions to prevent breaches, and enables endpoint compliance using Zero Trust Network Access policies (ZTNA).

The Syxsense Zero Trust module, then, serves as a trust evaluation engine for endpoints. Security teams can use it to build sophisticated access policies, apply fixes and remediate issues in real time to enable (or block) access. In addition, remediation of non-compliant endpoints includes automation to take care of tasks such as deploying an urgently needed security patch, updating the anti-virus signature database, and alerting IT about unauthorized access attempts.

For more information, visit: www.syxsense.com